From 1175ff837d6dc1a4aa416265066d75a427ef0886 Mon Sep 17 00:00:00 2001 From: Keith Buck Date: Thu, 29 Dec 2016 05:44:18 +0000 Subject: [PATCH] extensions/extb_channel: Allow matching secret channels. This change modifies extb_channel to allow matching users in secret channels, which prevents trivial ban evasion by setting the target channel +s. Information leak due to this change is unlikely since the attacker would have to know that the target channel exists, the name of the channel (or guess it), have a specific user they wanted to know whether was in the channel (and not know already), and the target user would need to have something like autojoin-on-invite enabled (or any of the other various ways hostname cloaking is attacked). --- extensions/extb_channel.c | 5 +---- help/opers/extban | 6 +----- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/extensions/extb_channel.c b/extensions/extb_channel.c index 3225d076..0de1d6dd 100644 --- a/extensions/extb_channel.c +++ b/extensions/extb_channel.c @@ -1,5 +1,5 @@ /* - * Channel extban type: matches users who are in a certain public channel + * Channel extban type: matches users who are in a certain channel * -- jilles */ @@ -47,8 +47,5 @@ static int eb_channel(const char *data, struct Client *client_p, /* require consistent target */ if (chptr->chname[0] == '#' && data[0] == '&') return EXTBAN_INVALID; - /* privacy! don't allow +s/+p channels to influence another channel */ - if (!PubChannel(chptr2) && chptr2 != chptr) - return EXTBAN_INVALID; return IsMember(client_p, chptr2) ? EXTBAN_MATCH : EXTBAN_NOMATCH; } diff --git a/help/opers/extban b/help/opers/extban index 90d86f1f..5a0e8e68 100644 --- a/help/opers/extban +++ b/help/opers/extban @@ -18,11 +18,7 @@ Unless noted below, all types can be used with +b, +q, +e and +I. $a - Matches all logged in users $a: - Matches users logged in with a username matching the mask (* and ? wildcards) - $c: - Matches users who are on the given channel; this is only - valid if the channel exists and is not +s or +p. (The ops - of the channel the ban is on cannot necessarily see whether - the user is in the target channel, so it should not - influence whether they can join either.) + $c: - Matches users who are on the given channel $o - Matches opers (most useful with +I) $r: - Matches users with a realname (gecos) matching the mask (* and ? wildcards); this can only be used with +b and +q